The Scary Truth About IBM i Security Pushbacks


Steve Pitcher, iTech Solutions

If you’re looking to make improvements to your IBM i security, then you need to get your whole team on the same page, which can mean working through some common objections.

But does your team know the scary truth on the other side of those rebuttals?

Here are a number of counterpoints to help you make security a priority in your shop.

1. We trust our employees

It is important to hire people you trust and to maintain those relationships while continuing to vet their security worthiness. However, realism is called for as well.

Do you give all employees full access keys to your manufacturing facility? Do you give them all company credit cards? How about full access to your financial systems?

Of course not, unless you give them *ALLOBJ special authority and therefore they own the system. Do you really think somehow a menu system is going to keep them out of the sensitive stuff?

Look at the corollary. Should your employees trust you?

When they give you their social insurance number, date of birth, legal name, and banking information for direct deposit, you are responsible for protecting that data. I would imagine that any employee would assume you have proper data controls in place. Furthermore, as someone who is security literate, I would assume that if I give anyone my information, it is properly controlled and also encrypted so that it can’t be read easily when exported to a USB drive, sent to tape or intercepted in transit.
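To see how many profiles effectively "own the system" through *ALLOBJ, the following query is an added example (not from the original article) that uses the IBM i `QSYS2.USER_INFO` view. It assumes it is run from an SQL interface such as ACS Run SQL Scripts under a profile authorized to see all user profiles, and it reports *ALLOBJ held directly as well as inherited from a primary or supplemental group profile.

```sql
-- Added example: who holds *ALLOBJ, directly or through a group profile?
-- Assumes the QSYS2.USER_INFO view and a caller authorized to see all profiles.
WITH allobj_profiles AS (
    -- Every profile (user or group) that carries *ALLOBJ itself
    SELECT authorization_name
    FROM qsys2.user_info
    WHERE special_authorities LIKE '%*ALLOBJ%'
)
SELECT DISTINCT
       u.authorization_name,
       u.status,              -- disabled profiles with *ALLOBJ still deserve cleanup
       u.user_class_name,
       u.previous_signon,     -- stale powerful profiles stand out here
       CASE
           WHEN u.special_authorities LIKE '%*ALLOBJ%' THEN 'DIRECT'
           ELSE 'VIA GROUP ' || TRIM(g.authorization_name)
       END AS allobj_source
FROM qsys2.user_info u
LEFT JOIN allobj_profiles g
       -- primary group match
       ON g.authorization_name = u.group_profile_name
       -- supplemental groups are a blank-separated list; pad both sides
       -- so that a short name cannot match inside a longer one
       OR LOCATE(' ' || TRIM(g.authorization_name) || ' ',
                 ' ' || COALESCE(u.supplemental_group_list, '') || ' ') > 0
WHERE u.special_authorities LIKE '%*ALLOBJ%'
   OR g.authorization_name IS NOT NULL
ORDER BY allobj_source, u.authorization_name;
```

Rows marked `VIA GROUP` are the ones a review of individual user profiles tends to miss, because the user's own special-authority list looks clean.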

2. We have a firewall

And so does everybody else.

When was the last time your firewall was taken down for software patching? Whether personal or corporate, firewalls are one of those devices that never get updated, for two reasons:

1. The update can be complex and expensive, and not everyone has the resources on hand to do it.
2. There is almost always an outage unless you have a redundant firewall configuration.

How many holes have been intentionally punched in your firewall for services? FTP? Telnet? SMB? No way, you say? You’d be surprised by how many IBM i partitions are publicly accessible via firewall NAT rules.

Have you ever had a network intrusion test performed? How about an independent firewall rules review? How do you know your firewall is keeping the bad guys out? Are you actively monitoring the vast firewall logs?

A firewall is a must on the perimeter but what about inside the firewall? Most security breaches happen from the inside. Internal attacks are far more common and easier for people to get away with due to lax controls on data. Because of course, people trust their employees.

3. We don’t want to break anything

That’s understandable. Simple question: do you want to break things in a deliberate, controlled fashion or do you want to be forced into a situation with all systems down? Rest assured, most (if not all) security incidents turn into disaster recovery scenarios.

When would you rather realize there are gaps in your processes? Flaws in your procedures? If your approach is to avoid updating and maintaining your systems in order to avoid what you don’t know, you will end up learning the hard way.

Simply put, responsible maintenance and updating may expose areas where your knowledge is lacking or protocols that need updating. Finding them is going to be less disruptive as part of a project than in an emergency. Especially since the emergency you may be dealing with is a breach, you don’t need the chaos of untested procedures making a terrible situation worse.

4. We’re too small

55% of SMBs had a security breach in 2016. 61% had a breach in 2017.

SMBs are the new favorite for attackers for a variety of reasons. One is that they think they’re too small to have anything to worry about and therefore don’t bother hardening their defenses. Other reasons are small staffs and meager budgets for conducting proper and regular security maintenance and testing.

The cost of weak security is too great to ignore in budgeting.

5. Hackers don’t know IBM i

I’m not a mechanic but I can change my car’s oil, oil filter, tires and headlights with a little time and a couple of YouTube videos. Don’t rely on the supposed ignorance of others being your safety net.

John Lennon once said “I’m an artist, and if you give me a tuba, I’ll bring you something out of it.” Technology is no different. I don’t know COBOL, but if you give me a compiler I’ll bring you something out of it.

6. Nobody wants our data

All data has value. It doesn’t matter what industry you’re in or how big your company is. Outsiders will find something of value that they can exploit. What if your data is only important to you? Well, what if you were compromised and couldn’t access your data? What if your data was encrypted by malicious software and you were extorted? The value isn’t necessarily in the data. It’s the fact that the data has value to you.

7. Security will cost us too much

Even when security is free, companies don’t take advantage of it. The vulnerability WannaCry exploited was patched free of charge by Microsoft, yet many months later many thousands of customers hadn’t bothered to patch their systems.

Of course, adding security will be a cost in either time or dollars or both. It’s like insurance. What’s a security breach going to cost you in downtime, a tarnished reputation, and data loss?


When it comes down to it, conversations surrounding your IBM i security need to be had. It’s something that simply can’t be avoided in our data-driven world.

iTech Solutions can help get the conversation started so that you can be sure your business is protected. Click here to schedule a security assessment.

